<p align="center"> <img src="docs/assets/demo.gif?v=2" alt="Aegis Demo" width="880"> </p>
What is Aegis
Every AI agent framework reinvents the same governance primitives — and each one does it slightly differently. Aegis is the abstraction layer that unifies them.
| Layer | What it does | Examples |
|---|---|---|
| 1. Primitives | A universal contract for every tool call | Action, ActionClaim, Policy, Result, DelegationChain, AuditEvent |
| 2. Adapters | Auto-instrument any framework through its own hooks | LangChain callbacks, CrewAI BeforeToolCallHook, OpenAI Agents tracing, Google ADK BasePlugin, MCP transport, DSPy modules, httpx middleware, Playwright context |
| 3. Governance | Declarative primitives you compose into policy | Prompt injection / PII / leak / toxicity guardrails, RBAC, rate limit, cost budget, drift detection, anomaly scoring, trust delegation, justification gap, selection audit, Merkle audit chain |
| 4. Lifecycle | One runtime, every stage of agent ops | Scan → Instrument → Policy CI/CD → Runtime → Proxy → Audit |
import aegis
aegis.auto_instrument() # 12 frameworks governed. No other code changes.Redis is to in-memory data structures what Aegis is to agent governance: one library, every primitive, every framework, one API. You don't write a LangChain guardrail and a CrewAI guardrail and an OpenAI guardrail — you write one Policy and every framework inherits it.
Primitives
The contract every adapter maps into. Framework-agnostic by design.
| Primitive | Purpose | Module |
|---|---|---|
Action | Unified representation of any tool / LLM / HTTP / MCP call across all frameworks | aegis.core.action |
ActionClaim | Tripartite structure — Declared (agent-authored) / Assessed (Aegis-computed) / Chain (delegation) | aegis.core.action_claim |
Policy | Declarative YAML rules: match → risk → approval (auto / approve / block) | aegis.core.policy |
ClaimPolicy | Policy layer that evaluates 6-dimensional impact vectors, not just tool names | aegis.core.claim_policy |
Guardrails | Deterministic regex checks for injection, PII, prompt leak, toxicity — 2.65ms cold / <1µs warm | aegis.guardrails |
DelegationChain | Multi-agent hand-off tracking with monotone trust constraint (non-increasing) | aegis.core.agent_identity |
AuditEvent | Tamper-evident append-only log, Merkle-chained, SQLite + JSONL + webhook sinks | aegis.core.merkle_audit |
SelectionAudit | Audits what an agent excludes, not just what it picks — detects cosmetic alignment | aegis.core.selection_audit |
JustificationGap | 6D asymmetric scoring: agents declare impact, Aegis independently assesses, gap triggers escalation | aegis.core.justification_gap |
CryptoAuditChain | Ed25519-signed chain for long-term compliance evidence | aegis.core.crypto_audit |
Every governance feature in Aegis — anomaly detection, cost budgets, drift, cascade guards, kill switches — is a composition of these primitives. Read the Concepts guide to see how they fit together.
Frameworks
One API. 12 agent frameworks + 3 protocol-level adapters.
| Framework | Hook | Status |
|---|---|---|
| LangChain | BaseChatModel.invoke/ainvoke, BaseTool.invoke/ainvoke | Stable |
| CrewAI | Crew.kickoff/kickoff_async, global BeforeToolCallHook | Stable |
| OpenAI Agents SDK | Runner.run, Runner.run_sync | Stable |
| OpenAI API | Completions.create (chat & completions) | Stable |
| Anthropic API | Messages.create | Stable |
| LiteLLM | completion, acompletion | Stable |
| Google GenAI | Models.generate_content (new + legacy) | Stable |
| Google ADK | BasePlugin lifecycle (tool calls, agent routing, sessions) | Stable |
| Pydantic AI | Agent.run, Agent.run_sync | Stable |
| LlamaIndex | LLM.chat/achat/complete/acomplete, BaseQueryEngine.query/aquery | Stable |
| Instructor | Instructor.create, AsyncInstructor.create | Stable |
| DSPy | Module.__call__, LM.forward/aforward | Stable |
| MCP | Transport-layer proxy for any MCP server (stdio / HTTP) | Stable |
| httpx | Middleware for raw HTTP egress (REST agents, webhooks) | Stable |
| Playwright | Browser context instrumentation for browsing agents | Stable |
auto_instrument() detects what's installed and patches only those — no hard dependencies. Custom adapters use the same BaseAdapter interface.
Default Guardrails
| Guardrail | Default | What it catches |
|---|---|---|
| Prompt injection | Block | 10 attack categories, 85+ patterns, multi-language (EN/KO/ZH/JA) |
| PII detection | Warn | 13 categories (email, credit card, SSN, IBAN, API keys, etc.) |
| Prompt leak | Warn | System prompt extraction attempts |
| Toxicity | Warn | Harmful, violent, or abusive content |
| MCP STDIO injection | Block | JSON-RPC injection, frame concatenation, unicode escape bypass (OX Security advisory) |
Deterministic regex — no LLM calls, no network. 2.65ms cold / <1µs warm per check.
Use Cases
The same primitives, five different entry points. Pick whichever matches your workflow.
1. Runtime protection (most common)
One line. Any framework.
import aegis
aegis.auto_instrument()Or zero code changes — AEGIS_INSTRUMENT=1 python my_agent.py. Injection blocking, PII masking, prompt-leak warnings, audit trail, and policy enforcement become active for every LangChain / CrewAI / OpenAI / Anthropic / LiteLLM / ADK / DSPy / LlamaIndex / Pydantic AI call.
Pydantic AI native capability — no monkey-patching, explicit per-agent control:
from pydantic_ai import Agent
from aegis.contrib.pydantic_ai import AegisCapability
agent = Agent(
"openai:gpt-4o-mini",
capabilities=[AegisCapability.default()], # injection, PII, toxicity, prompt-leak, hallucination
)
result = await agent.run("What is AI governance?")Full Pydantic AI integration guide →
2. Pre-production scanning
Find ungoverned AI calls before they ship.
pip install agent-aegis
aegis scan .Aegis Governance Scan
=====================
Scanned: 47 files in ./src
Found 5 ungoverned tool call(s):
agent.py:12 OpenAI function call with tools= — no governance wrapper [ASI02]
tools.py:8 LangChain @tool "search_db" — no policy check [ASI02]
llm.py:21 LiteLLM litellm.completion() — no governance wrapper [ASI02]
run.py:5 subprocess subprocess.run — direct shell execution [ASI08]
api.py:14 HTTP requests.post — raw HTTP in agent code [ASI07]
Governance Score: D (5 ungoverned call(s))Supports --format json|sarif|suggest, --threshold A-F, .aegisscanignore, and inline # aegis: ignore pragmas. Auto-fix with aegis scan --fix.
3. Policy CI/CD
Security tools protect at runtime. Aegis also manages the policy lifecycle — the same way you test and ship code.
aegis plan current.yaml proposed.yaml --audit-db aegis_audit.db
# Policy Impact Analysis
# Rules: 2 added, 1 removed, 3 modified
# Impact (replayed 1,247 actions):
# 23 actions would change from AUTO → BLOCKaegis test policy.yaml tests.yaml # Run in CI
aegis test policy.yaml --generate # Auto-generate test suite
aegis test new.yaml tests.yaml --regression old.yaml # Regression check# .github/workflows/policy-check.yml
- uses: Acacian/aegis@main
with:
policy: aegis.yaml
tests: tests.yaml
fail-on-regression: trueOr block ungoverned calls at PR time:
- uses: Acacian/aegis@v0.9.5
with:
command: scan
fail-on-ungoverned: true4. Audit & compliance
Every call is logged to a tamper-evident Merkle chain, with mappings to EU AI Act / NIST AI RMF / SOC2 built in.
aegis audit ID Session Action Target Risk Decision Result
1 a1b2c3d4... read crm LOW auto success
2 a1b2c3d4... bulk_update crm HIGH approved success
3 a1b2c3d4... delete crm CRITICAL block blockedSQLite + JSONL + webhook sinks. Ed25519 signing for long-term evidence. See the Compliance guide.
5. Governance server (multi-agent)
Centralized governance for multiple agents. Each agent connects via SDK, server handles policy, guardrails, audit, and compliance.
pip install 'agent-aegis[server]'
aegis-server37 REST endpoints + WebS
…